Applications of single-qubit rotations in quantum public-key cryptography 



Georgios M. Nikolopoulos 
Institute of Electronic Structure and Laser, FORTH, 
P. O. Box 1527, Heraklion 711 10, Crete, Greece 
(Dated: February 2, 2008) 

We discuss cryptographic applications of single-qubit rotations from the perspective of trapdoor one-way functions and public-key encryption. In particular, we present an asymmetric cryptosystem whose security relies on fundamental principles of quantum physics. A quantum public key is used for the encryption of messages while decryption is possible by means of a classical private key only. The trapdoor one-way function underlying the proposed cryptosystem maps integer numbers to quantum states of a qubit, and its inversion can be infeasible by virtue of Holevo's theorem.

I. INTRODUCTION

Modern public-key (or else asymmetric) cryptography relies on numerical trapdoor one-way functions, i.e., functions that are "easy" to compute, but "hard" to invert without some additional information (the so-called trapdoor information). The main characteristic of these mathematical objects is that they provide the legitimate users with a tractable problem, while at the same time any unauthorized user (adversary) has to face a computationally infeasible problem. This barrier between legitimate users and adversaries, due to complexity of effort, is the key idea behind most of the known public-key cryptosystems. Each participant in such a cryptosystem has to have a personal key consisting of two parts, i.e., the public and the secret (also known as private) part. Messages are encrypted with use of the public key and the decryption of the resulting ciphertext is possible by means of the private key.

The security of conventional public-key cryptography relies on the hardness of some computational problems (e.g., the integer factorization problem, the discrete logarithm problem, etc.). These numerical problems are considered to be good candidates for one-way functions (OWFs), and this belief relies mainly on the large amount of resources (computing power and time) required for their solution using the best known algorithms. Nevertheless, the fact that the existence of numerical OWFs has not been proved rigorously up to now makes all of the known public-key cryptosystems vulnerable to any future advances in algorithms and hardware (e.g., the construction of a quantum computer).

In contrast to the computational security offered by conventional public-key schemes, there exist symmetric cryptosystems (e.g., the one-time pad) which offer provable security provided that a secret truly random key is shared between the entities who wish to communicate. Today, the establishment of such a key between two parties can be achieved by means of quantum key-distribution (QKD) protocols [2]. By virtue of fundamental principles of quantum mechanics that do not allow passive monitoring and cloning of unknown quantum states [3], QKD protocols provide a solution to the key-distribution problem even in the presence of the most powerful adversaries. Nevertheless, key management remains one of the main drawbacks of symmetric encryption schemes. In particular, the problem pertains to large networks where each entity needs a secret key with every other entity. Hence, the total number of secret keys scales quadratically with the number of users in the network.

One solution to the key-management problem is the use of an unconditionally trusted third party which is burdened with the key management and acts as a key-distribution center (KDC). The main problem with this solution, however, is that the KDC itself becomes an attractive target, while a compromised KDC immediately renders all communications insecure. An alternative solution to the key-management problem is provided by conventional public-key cryptosystems, which are very flexible but, as we discussed earlier, offer computational security only.

Clearly, an ideal solution to both the key-distribution and the key-management problems is a quantum public-key (asymmetric) cryptosystem, which combines the provable security of QKD protocols with the flexibility of conventional public-key encryption schemes. The development of such a cryptosystem, however, requires the existence of quantum trapdoor OWFs. In particular, the one-way property of these functions has to rely on fundamental principles of quantum theory, rather than unproven computational assumptions.

To the best of our knowledge, the number of related theoretical investigations is rather small, and all of them pertain to a futuristic scenario where all of the parties involved (legitimate users and adversaries) possess quantum computers. The concept of a quantum OWF was first introduced in two earlier papers, where the authors demonstrated that such a function can be obtained by mapping classical bit-strings to quantum states of a collection of qubits. Nevertheless, these two papers do not pertain directly to public-key encryption, but rather to quantum fingerprinting and digital signatures. Later on, Kawachi et al. investigated the cryptographic properties of the distinguishability problem between two random coset states with hidden permutation. This problem can be viewed as a quantum extension of the distinguishability problems between two probability distributions used in conventional cryptography. Finally, besides quantum OWFs there have also been investigations on OWFs which rely on "hard" problems appearing in other areas of physics such as statistical physics, optics, and mesoscopic physics of disordered media [13].

In this paper we establish a theoretical framework for 
quantum public-key encryption based on qubit rotations. 
In particular, we explore the trapdoor and one-way prop- 
erties of functions that map integer numbers onto single- 
qubit states. Moreover, we present an asymmetric cryp- 
tosystem which is provably secure even against powerful 
quantum eavesdropping strategies. 

II. QUANTUM TRAPDOOR (ONE-WAY) FUNCTIONS

In this section we introduce the notion of the quantum 
trapdoor OWF, that maps integer numbers to quantum 
states of a physical system. The discussion involves a sce- 
nario where all of the parties (legitimate users and adver- 
saries) possess quantum computers and are only limited 
by the laws of physics. 

A. Definition and properties 

Definition. Consider two sets $\mathbb{S}$ and $\mathcal{Q}$ which involve numbers and quantum states of a physical system, respectively. A quantum OWF is a map $\mathfrak{M}: \mathbb{S} \mapsto \mathcal{Q}$, which is "easy" to perform, but "hard" to invert. A quantum OWF whose inversion becomes feasible by means of some information (trapdoor information) is a quantum trapdoor OWF.

Throughout this work we will focus on quantum trapdoor OWFs whose input is an integer $s \in \mathbb{Z}_n := \{0, 1, \ldots, n-1 \mid n \in \mathbb{N}\}$, and whose output is the state of a quantum system, say $|\phi_s\rangle$. To elaborate further on the terms "easy" and "hard", consider a quantum system initially prepared in some state $|0\rangle$ and let $\mathcal{H}$ be the corresponding Hilbert space. For a randomly chosen $s \in \mathbb{Z}_n$ we apply an operation $\mathcal{O}(s): \mathcal{H} \mapsto \mathcal{H}$ on the system, which changes the initial state $|0\rangle \mapsto |\phi_s\rangle = \mathcal{O}(s)|0\rangle$. The set of all possible output states of the quantum OWF is $\mathcal{Q} = \{|\phi_s\rangle \mid s \in \mathbb{Z}_n\}$, and belongs to $\mathcal{H}$. If the map $\mathfrak{M}: \mathbb{Z}_n \mapsto \mathcal{Q}$ is a bijection there is a unique $s \in \mathbb{Z}_n$ such that $|0\rangle \mapsto |\phi_s\rangle$, i.e., $\mathfrak{M}$ is one-to-one and $|\mathbb{Z}_n| = |\mathcal{Q}|$.

The map $s \mapsto |\phi_s\rangle$ must be "easy" to compute in the sense that, for a given $s \in \mathbb{Z}_n$, the transformation on the system's state $|0\rangle \to |\phi_s\rangle$ can be performed efficiently on a quantum computer with polynomial resources. On the other hand, in order for the map $s \mapsto |\phi_s\rangle$ to serve as a quantum OWF, its inversion must be a "hard" problem by virtue of fundamental principles of quantum mechanics. In other words, given a state $|\phi_s\rangle$ chosen at random from $\mathcal{Q}$, there is no efficient quantum algorithm that succeeds in performing the inverse map $|\phi_s\rangle \mapsto s$ (i.e., recovering the integer $s$ from the given state $|\phi_s\rangle$) with a non-negligible probability.

Actually, by definition the inversion of a quantum OWF is a hard problem for everyone (legitimate users and eavesdroppers). For cryptographic applications, however, authorized users should be able to identify the state of the quantum system, and thus invert the map $s \mapsto |\phi_s\rangle$, more efficiently than any unauthorized party. Hence, it is essential to introduce a trapdoor information which makes the inversion of the map computationally feasible for anyone who possesses it.

Having introduced the notion of quantum trapdoor 
OWFs in a rather general theoretical framework, in the 
following we specialize the present discussion to a partic- 
ular family of such functions based on single-qubit rota- 
tions. 



B. A quantum trapdoor function based on single-qubit rotations

For the sake of simplicity, we will present our quantum trapdoor OWF in the context of single-qubit states lying on the $x$-$z$ plane of the Bloch sphere. The main idea can be easily extended to qubit states that lie on the three-dimensional Bloch sphere.

Let us denote by $\{|0_z\rangle, |1_z\rangle\}$ the eigenstates of the Pauli operator $Z = |0_z\rangle\langle 0_z| - |1_z\rangle\langle 1_z|$, which form an orthonormal basis in the Hilbert space of a qubit $\mathcal{H}_2$. A general qubit state lying on the $x$-$z$ plane can be written as $|\psi(\theta)\rangle = \cos(\theta/2)|0_z\rangle + \sin(\theta/2)|1_z\rangle$, where $0 \le \theta < 2\pi$. Hence, unlike the classical bit, which can store a discrete variable taking only two real values (that is, "0" and "1"), a qubit may represent a continuum of states on the $x$-$z$ Bloch plane. Introducing the rotation operator about the $y$ axis, $\mathcal{R}(\theta) = e^{-i\theta\hat{y}/2}$ with $\hat{y} = i(|1_z\rangle\langle 0_z| - |0_z\rangle\langle 1_z|)$, we may alternatively write $|\psi(\theta)\rangle = \mathcal{R}(\theta)|0_z\rangle$.

The input of the proposed quantum trapdoor function is a random integer $s$ uniformly distributed over $\mathbb{Z}_{2^n}$ with $n \in \mathbb{N}$, and a qubit initially prepared in $|0_z\rangle$. Thus, $n$-bit strings suffice as labels to identify the input $s$ for fixed $n$. For given values of $n \in \mathbb{N}$ and $s \in \mathbb{Z}_{2^n}$, the qubit state is rotated by $s\theta_n$ around the $y$ axis with $\theta_n = \pi/2^{n-1}$. Hence, for some fixed $n \in \mathbb{N}$, the output of the OWF pertains to the class of states $\mathcal{Q}_n \equiv \{|\psi_s(\theta_n)\rangle \mid s \in \mathbb{Z}_{2^n},\ \theta_n = \pi/2^{n-1}\}$, with

$$|\psi_s(\theta_n)\rangle = \mathcal{R}(s\theta_n)|0_z\rangle = \cos\!\left(\frac{s\theta_n}{2}\right)|0_z\rangle + \sin\!\left(\frac{s\theta_n}{2}\right)|1_z\rangle. \qquad (1)$$

Clearly, both of the input and output sets (i.e., $\mathbb{Z}_{2^n}$ and $\mathcal{Q}_n$, respectively) remain unknown if $n$ is not revealed.

For a given pair of integers $\{n, s\}$, the function $s \mapsto |\psi_s(\theta_n)\rangle$ is easy to compute since it involves single-qubit rotations only. In particular, it is known that any single-qubit operation can be simulated to an arbitrary accuracy $\epsilon > 0$ by a quantum algorithm involving a universal set of gates (i.e., Hadamard, phase, controlled-NOT, and $\pi/8$ gates) [3]. Moreover, this simulation is efficient since its implementation requires an overhead of resources that scales polynomially with $\log(\epsilon^{-1})$.

Inversion of the map $s \mapsto |\psi_s(\theta_n)\rangle$ means to recover $s$ from a given qubit state $|\psi_s(\theta_n)\rangle$ chosen at random from an unknown set $\mathcal{Q}_n$. Nevertheless, let us consider for the time being that $n$ is known. In this case, the inversion of the map reduces to the problem of discrimination between various non-orthogonal states chosen at random from a known set $\mathcal{Q}_n$. The number of non-orthogonal states increases as we increase $n$, whereas for $n \gg 1$ we have for the nearest-neighbor overlap $\langle\psi_s(\theta_n)|\psi_{s+1}(\theta_n)\rangle = \cos(\theta_n/2) \to 1$. Hence, a projective von Neumann measurement cannot distinguish between all of the states for $n \gg 1$, since the number of possible outcomes in such a measurement is restricted by the dimension of the state space of the system (i.e., a qubit in our case).

One has therefore to resort to more general measurements, which can always be described formally by a positive operator-valued measure (POVM) involving a number of non-negative operators [3]. In the theoretical framework of POVMs, an input state is associated with a particular outcome of the measurement, while optimization is typically performed with respect to various quantities (e.g., probability of inconclusive results, mutual information, conditional probabilities, etc.). It is worth noting, however, that some of these strategies are not applicable to the states of the set $\mathcal{Q}_n$, since they are not linearly independent when $n \ge 2$ (e.g., see Ref. [11]). In any case, according to Holevo's theorem [3], the classical information that can be extracted from a single qubit by means of a POVM is at most 1 bit, whereas $n$ bits are required to identify the randomly chosen $s \in \mathbb{Z}_{2^n}$ for fixed $n$. Hence, we see that for a given $n \gg 1$ the map $s \mapsto |\psi_s(\theta_n)\rangle$ acts as a quantum OWF that is "easy" to perform but hard to invert. Actually, the inversion may become even harder if $n$ is not publicly announced, thus rendering the sets from which $s$ and $|\psi_s(\theta_n)\rangle$ are chosen (that is, $\mathbb{Z}_{2^n}$ and $\mathcal{Q}_n$, respectively) practically unknown (see also the discussion in Sec. IV).

The map $s \mapsto |\psi_s(\theta_n)\rangle$ may also act as a trapdoor OWF when it involves two consecutive rotations. To demonstrate this fact, let us assume that after $\mathcal{R}(s\theta_n)$, a second rotation $\mathcal{R}(m\theta_n)$ is applied to the same qubit, with a randomly chosen integer $m \in \mathbb{Z}_{2^n}$ such that $s + m \equiv c \bmod 2^n$. The state of the qubit after the second rotation becomes $|\psi_c(\theta_n)\rangle = \mathcal{R}(c\theta_n)|0_z\rangle = \mathcal{R}(m\theta_n)\mathcal{R}(s\theta_n)|0_z\rangle$. Having access to the qubit before and after the second rotation (i.e., given the qubit states $|\psi_s(\theta_n)\rangle$ and $|\psi_c(\theta_n)\rangle$), we are interested in deducing $m$. This task, however, requires substantial information on both of the numbers $s$ and $c$, which is not possible for $n \gg 1$. More precisely, as discussed earlier, in this case only negligible information can be extracted from the state $|\psi_s(\theta_n)\rangle$ about the randomly chosen $s$, which thus remains practically unknown. Hence, irrespective of the amount of information one may have on $c$, the number $m$ will also remain unknown. The one-way and trapdoor properties of the map $s \mapsto |\psi_s(\theta_n)\rangle$ will become clearer in the following, through the security analysis of an asymmetric quantum encryption scheme.
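As an added worked example (illustrative code, not the paper's own), the map of Eq. (1) and the two-rotation trapdoor composition can be checked numerically. Since every state in $\mathcal{Q}_n$ lies in the $x$-$z$ plane, real two-component amplitude vectors suffice; the function names, the sign-insensitive state comparison (a rotation by $2\pi$ multiplies a qubit state by $-1$) and the brute-force one-to-one check are this example's own choices.

```python
import math
from typing import Tuple

# A state in the x-z plane of the Bloch sphere: real amplitudes of |0_z>, |1_z>.
State = Tuple[float, float]
KET_0: State = (1.0, 0.0)


def rotate(state: State, angle: float) -> State:
    """Apply R(angle) = exp(-i*angle*Y/2), i.e. the matrix
    [[cos(a/2), -sin(a/2)], [sin(a/2), cos(a/2)]], to a real-amplitude state."""
    c, s = math.cos(angle / 2), math.sin(angle / 2)
    a0, a1 = state
    return (c * a0 - s * a1, s * a0 + c * a1)


def theta_n(n: int) -> float:
    """Rotation step theta_n = pi / 2^(n-1) of Eq. (1)."""
    return math.pi / 2 ** (n - 1)


def psi(s: int, n: int) -> State:
    """The 'easy' direction: s -> |psi_s(theta_n)> = R(s*theta_n)|0_z>."""
    return rotate(KET_0, s * theta_n(n))


def overlap(a: State, b: State) -> float:
    """Real inner product <a|b> for x-z-plane states."""
    return a[0] * b[0] + a[1] * b[1]


def states_close(a: State, b: State, tol: float = 1e-9) -> bool:
    """Same physical state up to a global sign."""
    return abs(abs(overlap(a, b)) - 1.0) < tol


def nearest_neighbour_overlap(n: int) -> float:
    """<psi_s|psi_{s+1}> = cos(theta_n/2); approaches 1 as n grows, which is
    why a projective measurement cannot separate the states for n >> 1."""
    return overlap(psi(0, n), psi(1, n))


def is_one_to_one(n: int) -> bool:
    """Check by exhaustion that distinct s in Z_{2^n} give distinct states,
    so |Z_{2^n}| = |Q_n| (feasible only for small n, as used here)."""
    states = [psi(s, n) for s in range(2 ** n)]
    return all(not states_close(states[i], states[j])
               for i in range(len(states)) for j in range(i + 1, len(states)))


def compose(s: int, m: int, n: int) -> Tuple[State, int]:
    """Trapdoor composition: R(m*theta_n) after R(s*theta_n) lands on the state
    labelled c = s + m mod 2^n. Returns the state and that label."""
    state = rotate(psi(s, n), m * theta_n(n))
    return state, (s + m) % 2 ** n


if __name__ == "__main__":
    for n in (1, 2, 5, 10):
        print(f"n={n:2d}  <psi_s|psi_s+1> = {nearest_neighbour_overlap(n):.6f}")
    st, c = compose(5, 3, 3)
    print("compose(5,3,3) -> label", c, "matches psi(c):", states_close(st, psi(c, 3)))
```

The `compose` check is the whole trapdoor idea in one line: whoever knows $s$ (and $n$) turns the second rotation into modular addition on labels, while the state alone reveals at most one bit about $s$.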



III. QUANTUM PUBLIC-KEY ENCRYPTION 

In this section we introduce an asymmetric cryptosystem based on the quantum trapdoor OWF presented in Sec. II. In analogy to classical asymmetric cryptosystems, in the proposed protocol the encryption and the decryption keys are different. In the following we describe the three stages of the protocol.

Stage 1 — Key generation. Each user participating in the cryptosystem generates a key consisting of a private part $d$, and a public part $e$, as determined by the following steps.

1. Choose a random positive integer $n \gg 1$.

2. Choose a random integer string $s$ of length $N$, i.e., $s = (s_1, s_2, \ldots, s_N)$, with $s_j$ chosen independently from $\mathbb{Z}_{2^n}$.

3. Prepare $N$ qubits in the state $|0_z\rangle^{\otimes N}$.

4. Apply a rotation $\mathcal{R}^{(j)}(s_j\theta_n)$ on the $j$th qubit, with $\theta_n = \pi/2^{n-1}$. Thus, the state of the $j$th qubit becomes $|\psi_{s_j}(\theta_n)\rangle_j = \mathcal{R}^{(j)}(s_j\theta_n)|0_z\rangle$, and is of the form (1).

5. The private key is $d = \{n, s\}$, while the public key is $e = \{N, |\Psi^{(\rm pk)}(\theta_n)\rangle\}$, with the $N$-qubit state

Clearly, in the proposed protocol the private key is classical whereas the public key is quantum, as it involves the state of $N$ qubits. Moreover, note that each user may produce multiple copies of his/her own public key, as the quantum state is known to its owner, and thus its copying does not violate the no-cloning theorem.

Stage 2 — Encryption. Assume now that one of the users (Bob) wants to send Alice an $r$-bit message $m = (m_1, m_2, \ldots, m_r)$, with $m_j \in \{0,1\}$ and $r \le N$. To encrypt the message, he should perform the following steps without altering the order of the public-key qubits:

1. Obtain Alice's authentic public key $e$. If $r > N$, he should ask Alice to increase the length of her public key.

2. Encrypt the $j$th bit of his message, say $m_j$, by applying the rotation $\mathcal{R}^{(j)}(m_j\pi)$ on the corresponding qubit of the public key, whose state becomes $|\psi_{s_j,m_j}(\theta_n)\rangle_j = \mathcal{R}^{(j)}(m_j\pi)|\psi_{s_j}(\theta_n)\rangle_j$.

3. The quantum ciphertext (or else cipher state) is the new state of the $N$ qubits, i.e., $|\Psi_{s,m}(\theta_n)\rangle = \bigotimes_{j=1}^{N}|\psi_{s_j,m_j}(\theta_n)\rangle_j$, and is sent back to Alice.

Note that, at the end of the encryption stage, the message has been encoded in the first $r$ qubits of the cipher state. Thus, in the decryption stage Alice may focus on this part of the cipher state, discarding the remaining $N - r$ qubits, which do not carry any additional information.

Stage 3 — Decryption. To recover the plaintext $m$ from the cipher state, Alice has to perform the following steps.

1. Undo her initial rotations, i.e., apply $\mathcal{R}^{(j)}(s_j\theta_n)^{-1}$ on the $j$th qubit of the ciphertext.

2. Measure each qubit of the ciphertext in the basis $\{|0_z\rangle, |1_z\rangle\}$.

In discussing the decryption stage, we would like to point out that the above two steps are basically equivalent to a von Neumann measurement which projects the $j$th qubit onto the basis $\{|\psi_{s_j}(\theta_n)\rangle, \mathcal{R}(\pi)|\psi_{s_j}(\theta_n)\rangle\}$. Moreover, it is worth recalling here that $\mathcal{R}^{(j)}(\alpha)^{-1} = \mathcal{R}^{(j)}(\alpha)^\dagger = \mathcal{R}^{(j)}(-\alpha)$, while different rotations around the same axis commute, i.e., $[\mathcal{R}^{(j)}(\alpha), \mathcal{R}^{(j)}(\beta)] = 0$.
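The three stages above, simulated end to end as an added example (illustrative code, not the paper's own). The qubit register is modelled as a classical list of $x$-$z$-plane amplitude pairs, the $Z$-basis measurement is sampled from the Born probabilities with a seeded pseudo-random generator, and the function names are assumptions of this example; because Bob's rotation by $m_j\pi$ commutes with Alice's $\mathcal{R}^{(j)}(s_j\theta_n)$, undoing her rotation leaves exactly $\mathcal{R}(m_j\pi)|0_z\rangle$, so the measurement is deterministic up to floating-point noise.

```python
import math
import random
from typing import List, Tuple

State = Tuple[float, float]  # real amplitudes of |0_z>, |1_z>
KET_0: State = (1.0, 0.0)


def rotate(state: State, angle: float) -> State:
    """R(angle) about the y axis on an x-z-plane qubit state."""
    c, s = math.cos(angle / 2), math.sin(angle / 2)
    a0, a1 = state
    return (c * a0 - s * a1, s * a0 + c * a1)


def theta_n(n: int) -> float:
    return math.pi / 2 ** (n - 1)


def keygen(n: int, N: int, rng: random.Random):
    """Stage 1. Private key d = (n, s); public key e = (N, rotated qubits)."""
    s = [rng.randrange(2 ** n) for _ in range(N)]
    public_qubits = [rotate(KET_0, sj * theta_n(n)) for sj in s]
    return (n, s), (N, public_qubits)


def encrypt(public_key, message: List[int]) -> List[State]:
    """Stage 2. Bob applies R(m_j * pi) to the j-th public-key qubit, in order."""
    N, qubits = public_key
    if len(message) > N:
        # Step 1 of stage 2: r > N means Alice must issue a longer key.
        raise ValueError("message longer than public key; request a longer key")
    cipher = list(qubits)
    for j, mj in enumerate(message):
        cipher[j] = rotate(cipher[j], mj * math.pi)
    return cipher


def measure_z(state: State, rng: random.Random) -> int:
    """Projective measurement in {|0_z>, |1_z>}: outcome 0 with probability |a0|^2."""
    p0 = state[0] ** 2
    return 0 if rng.random() < p0 else 1


def decrypt(private_key, cipher: List[State], r: int, rng: random.Random) -> List[int]:
    """Stage 3. Undo R(s_j theta_n) via R(-s_j theta_n), then measure in Z.
    Only the first r qubits carry the message; the rest are discarded."""
    n, s = private_key
    bits = []
    for j in range(r):
        undone = rotate(cipher[j], -s[j] * theta_n(n))
        bits.append(measure_z(undone, rng))
    return bits


def roundtrip(n: int, N: int, message: List[int], seed: int = 0) -> List[int]:
    """Generate keys, encrypt, decrypt; returns Alice's recovered plaintext."""
    rng = random.Random(seed)
    d, e = keygen(n, N, rng)
    cipher = encrypt(e, message)
    return decrypt(d, cipher, len(message), rng)


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample plaintext
    print("sent     ", msg)
    print("recovered", roundtrip(n=8, N=16, message=msg))
```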

IV. SECURITY 

The primary objective of an adversary (eavesdropper) is to recover the plaintext from the cipher state intended for Alice. On the other hand, there is always a more ambitious objective pertaining to the recovery of the private key from Alice's public key. A cryptosystem is considered to be broken with the accomplishment of either of the two objectives, but in the latter case the adversary has access to all of the messages sent to Alice. In this section we discuss various security issues related to the encryption scheme of Sec. III.



A. Distribution of public keys 

In contrast to symmetric cryptosystems, in an asymmetric cryptosystem a KDC is burdened with the distribution of public keys, whose secrecy is not required. Nevertheless, the KDC still has to verify the public key of each entity participating in the cryptosystem. Typically, in conventional cryptography the outcome of this verification is a public certificate which consists of two parts: a data part, which contains the public key as well as information about its owner, and the verification part, with the signature of the KDC over the data part. Hence, such a certificate essentially guarantees the authenticity, or else integrity, of the public key of each entity.



Authentication is a crucial requirement for secure, classical or quantum, encryption schemes since without it any encryption scheme is vulnerable to an impersonation attack. In modern cryptography, secrecy (confidentiality) and authenticity are treated as distinct and independent cryptographic goals. In particular, public-key encryption aims at confidentiality, whereas other cryptographic goals (such as data integrity, authentication, and non-repudiation) are provided by other cryptographic primitives including message authentication codes, digital signatures, and fingerprints. Following the same attitude, throughout this section we focus on the security provided by the quantum encryption scheme under consideration.

To emphasize, however, the importance of authenticity, in the encryption stage of the protocol described in Sec. III it is explicitly stated that Bob should be able to obtain an authentic copy of Alice's public key. A quantum digital signature scheme for authentication purposes has been proposed in the literature, and relies on mapping classical bit-strings to multi-qubit states. We believe that the main results of that work can also be adapted to the single-qubit OWF discussed here. Nevertheless, the creation of public certificates for quantum keys is not an easy task, since digitally signing an unknown qubit state is not possible. In any case, authentication of quantum messages remains an interesting question in the field of quantum cryptography, but it is beyond the scope of this paper.

B. Secrecy of the private key 

The private key of each entity consists of two parts, i.e., $d = \{n, s\}$. The first part is a randomly chosen positive integer with the only constraint being $n \gg 1$. Nevertheless, to present quantitative estimates on the entropy of the private key, in the following we consider that $n$ is uniformly distributed over a finite interval $\mathbb{N} = [n_l, n_u]$, with $n_l \gg 1$. Thus, the entropy of the first part of the private key is $H(n) = \log_2(|\mathbb{N}|)$, where $|\mathbb{N}|$ denotes the number of elements in $\mathbb{N}$. The second part of the private key involves a random integer string $s$, which is encoded on the state of the $N$ qubits of the public key. For a given value of $n$, say $n = \nu$, each random element of $s$ is chosen independently and has a uniform distribution over $\mathbb{Z}_{2^\nu}$. Hence the string $s$ is also uniformly distributed over $\mathbb{Z}_{2^\nu}^N = \{(a_1, a_2, \ldots, a_N) \mid a_j \in \mathbb{Z}_{2^\nu}\}$, and its entropy is given by $H(s|n=\nu) = N\nu$. The entropy of the entire private key is given by the joint entropy $H(n,s)$, i.e., $H(d) = H(n) + H(s|n) = \log_2(|\mathbb{N}|) + \sum_{\nu\in\mathbb{N}} p(\nu)\,H(s|n=\nu) = \log_2(|\mathbb{N}|) + N(n_u + n_l)/2$.

Let us estimate now the classical information one may extract from the quantum public key. For a given value of $n = \nu$, the $j$th element of $s$ is chosen at random from $\mathbb{Z}_{2^\nu}$, and the corresponding qubit of the public key is prepared in the pure state $|\psi_{s_j}(\theta_\nu)\rangle_j$. From an adversary's point of view, however, who does not have access to $s_j$, the $j$th qubit of the public key is prepared in a pure state chosen at random from the set $\mathcal{Q}_{n=\nu} = \{|\psi_{s_j}(\theta_\nu)\rangle \mid s_j \in \mathbb{Z}_{2^\nu};\ \theta_\nu = \pi/2^{\nu-1}\}$, with all the states being equally probable. Accordingly, one can easily show that for $\nu \ge 2$ the density operator for the $j$th qubit is of the form

$$\rho_j^{(\nu)} = \frac{1}{2^\nu}\sum_{s_j \in \mathbb{Z}_{2^\nu}} |\psi_{s_j}(\theta_\nu)\rangle\langle\psi_{s_j}(\theta_\nu)| = \frac{\mathbb{1}}{2}. \qquad (2a)$$

Summing over all possible values of $n$ and taking into account its uniform distribution over $\mathbb{N}$, we obtain $\rho_j^{\rm pk} = |\mathbb{N}|^{-1}\sum_{\nu\in\mathbb{N}}\rho_j^{(\nu)} = \mathbb{1}/2$. Moreover, each qubit is prepared independently of the others, and thus the state of the entire public key reads

$$\rho^{\rm pk} = \sum_{n,s} p(n,s)\,|\Psi^{(\rm pk)}(\theta_n)\rangle\langle\Psi^{(\rm pk)}(\theta_n)|, \qquad (2b)$$

while we obtain for the corresponding von Neumann entropy $S(e) = \sum_{j=1}^{N} S(\rho_j^{\rm pk}) = N$.

The secrecy of the private key $d$ is guaranteed by Holevo's theorem. In particular, let us denote by $I(x,d)$ the mutual information between the private key and a variable $x$ containing the information an adversary (Eve) may have obtained by performing quantum measurements on the public key. Since the public-key qubits are prepared at random and independently in pure states, we have from Holevo's theorem $I(x,d) \le S(e) = N$. Hence, $I(x,d) \ll H(d)$ provided

$$\log_2(|\mathbb{N}|) + N\bar{n} \gg N, \qquad (3a)$$

where $\bar{n} = (n_u + n_l)/2$. Clearly, to satisfy condition (3a) it is sufficient to have either $\bar{n} \gg 1$ or $\log_2(|\mathbb{N}|) \gg N$. In the protocol of the previous section, both of these requirements are fulfilled simultaneously since $n$ is chosen at random from the set of positive integers $\mathbb{N}$ with the constraint $n \gg 1$. Hence, the inequality $I(x,d) \ll H(d)$ also holds, that is, Eve's information gain is much smaller than the entropy of the private key $d$, which thus remains practically unknown to her. Accordingly, the conditional entropy $H(d|x)$ is given by $H(d|x) = H(d) - I(x,d) \approx H(d)$, which establishes the uniformity of the private key over $\mathbb{D} = \mathbb{N} \times \mathbb{Z}_{2^n}^N$, after the measurements on the public-key state.

So, we have seen that by making the public key available to everyone, we do not compromise the security of the protocol for $n \gg 1$, i.e., the public key may reveal only negligible information about the private key. When multiple copies of the public key, say $k$, are simultaneously in circulation, Eve's mutual information with the key increases, but is again upper bounded as follows: $I(x,d) \le Nk$. In this case, secrecy of the private key is always guaranteed if

$$\log_2(|\mathbb{N}|) + N\bar{n} \gg Nk, \qquad (3b)$$

which defines an upper bound on the number of copies of the public key that can be issued. This is in contrast to conventional public-key cryptosystems, where there are no such limitations.
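An added numerical check (illustrative code, not the paper's own) of the quantities in this subsection: the equal-weight mixture of Eq. (2a) is built explicitly for several values of $\nu$ and confirmed to be $\mathbb{1}/2$, its von Neumann entropy gives the one-bit-per-qubit figure behind $S(e) = N$, and $H(d)$ is compared with the $Nk$ Holevo bound of condition (3b). The function names and the sample parameters ($n_l$, $n_u$, $N$, $k$) are this example's own constructed values.

```python
import math
from typing import List, Tuple

Matrix = List[List[float]]


def psi(s: int, nu: int) -> Tuple[float, float]:
    """|psi_s(theta_nu)> of Eq. (1) with theta_nu = pi / 2^(nu-1), real amplitudes."""
    angle = s * math.pi / 2 ** (nu - 1)
    return (math.cos(angle / 2), math.sin(angle / 2))


def density_operator(nu: int) -> Matrix:
    """rho_j^(nu): equal-weight mixture of all 2^nu public-key states for n = nu."""
    rho = [[0.0, 0.0], [0.0, 0.0]]
    weight = 1.0 / 2 ** nu
    for s in range(2 ** nu):
        a = psi(s, nu)
        for i in range(2):
            for j in range(2):
                rho[i][j] += weight * a[i] * a[j]
    return rho


def is_maximally_mixed(rho: Matrix, tol: float = 1e-12) -> bool:
    """True if rho equals the identity over 2, as Eq. (2a) states."""
    return all(abs(rho[i][j] - (0.5 if i == j else 0.0)) < tol
               for i in range(2) for j in range(2))


def eigenvalues_2x2(rho: Matrix) -> Tuple[float, float]:
    """Eigenvalues of a real symmetric 2x2 matrix (density operators are Hermitian)."""
    a, b, d = rho[0][0], rho[0][1], rho[1][1]
    tr, det = a + d, a * d - b * b
    disc = math.sqrt(max(tr * tr / 4 - det, 0.0))
    return (tr / 2 + disc, tr / 2 - disc)


def von_neumann_entropy(rho: Matrix) -> float:
    """S(rho) = -sum_i lambda_i log2 lambda_i, in bits."""
    return -sum(l * math.log2(l) for l in eigenvalues_2x2(rho) if l > 1e-15)


def private_key_entropy(n_low: int, n_high: int, N: int) -> float:
    """H(d) = log2|N| + N (n_u + n_l)/2 for n uniform on [n_l, n_u]."""
    interval_size = n_high - n_low + 1
    return math.log2(interval_size) + N * (n_high + n_low) / 2


def holevo_bound(N: int, k: int) -> int:
    """Eve learns at most one bit per public-key qubit: I(x,d) <= N k for k copies."""
    return N * k


def key_secrecy_margin(n_low: int, n_high: int, N: int, k: int) -> float:
    """Left side minus right side of condition (3b); must be >> 0 for secrecy."""
    return private_key_entropy(n_low, n_high, N) - holevo_bound(N, k)


if __name__ == "__main__":
    for nu in (2, 3, 6):
        rho = density_operator(nu)
        print(f"nu={nu}: maximally mixed={is_maximally_mixed(rho)}, "
              f"S={von_neumann_entropy(rho):.3f} bit")
    # constructed sample parameters: n uniform on [100, 131], N = 64 qubits, k = 3 copies
    print("H(d) =", private_key_entropy(100, 131, 64),
          "bits vs Holevo bound N*k =", holevo_bound(64, 3))
```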

To summarize, the secrecy of the private key is guaranteed by the fact that the public key is quantum and unknown to everyone except Alice. Moreover, the state of each public-key qubit is chosen at random and independently of the other qubit states. In other words, there is no redundancy or pattern in the public key that could be exploited by a potential adversary. Information gain on the state of the public key (and thus the private key) can be obtained only by performing measurements on the public-key qubits, at the expense of disturbing their state irreversibly. In any case, according to Holevo's theorem, this information gain cannot exceed one bit per qubit and thus, for $k$ copies of the public key simultaneously in circulation, the private key is secret as long as condition (3b) is satisfied. Furthermore, by virtue of the no-cloning theorem [3], Eve cannot create additional copies of Alice's quantum public key, besides the copies provided by Alice or the KDC. In particular, the fidelity of the clone for each public-key qubit is smaller than one and thus the fidelity of the public-key clone drops exponentially with the key length $N$.

Finally, it is worth noting that according to the key-generation stage of Sec. III there is a one-to-one correspondence between the private key and the public key. As a result, any information an adversary may obtain about the state of the $j$th public-key qubit $|\psi_{s_j}(\theta_n)\rangle_j$ is immediately associated with the $j$th element of the private string $s$. One may alter this situation by applying a random permutation $\Pi$ on the public-key qubits before they become publicly available. In this case, the $j$th element of the private string $s$ is mapped to the state of the $\Pi(j)$th qubit (i.e., $s_j \mapsto |\psi_{s_j}(\theta_n)\rangle_{\Pi(j)}$), which is unknown to Eve if $\Pi$ is unknown. Hence, even if Eve were able to know precisely the state of each public-key qubit, she would have to guess the right permutation in order to deduce the private string $s$. From another point of view, permuting the public-key qubits for a given private key is equivalent to preparing the public-key qubits in states determined by a permutation of the private string, $\Pi(s)$, which is unknown to Eve. In this case, the private key consists of three parts, i.e., $d' = (n, s, \Pi)$. The corresponding joint entropy is given by $H(d') = H(d) + H(\Pi|s,n)$, with $H(d)$ defined earlier. Accordingly, the left-hand side of Eqs. (3) increases by $H(\Pi|s,n)$, whereas the maximum information gain for a potential adversary is determined by Holevo's bound and remains constant.

In the following we analyze the security of our encryption scheme against various types of attacks aiming at the recovery of the plaintext and/or the private key from the quantum ciphertext. These attacks are generalizations of the corresponding attacks on conventional asymmetric encryption schemes. In contrast, however, to their classical counterparts, in the quantum attacks Eve does not know the state of the quantum public key, but is allowed to perform arbitrary operations and measurements on it. The only assumption in the following analysis is that Alice's decryption device is manufactured so that it is automatically deactivated when it performs $k$ consecutive decryptions on $N$-qubit states. In this way we guarantee that no more than $k$ copies of Alice's public key will be used. When these copies are exhausted, Alice must generate a new pair of keys $(e', d')$, and update her decryption device accordingly. To this end, the old private key may act as a quantum password, which ensures authorized access to the decryption device.

C. Chosen-plaintext attack 

Typically, in a chosen-plaintext attack, Eve is allowed to obtain a number of plaintext-ciphertext pairs of her choice. More precisely, given $k$ copies of Alice's public-key state $\rho^{\rm pk}$, and $k$ plaintexts in binary form $\{\mathbf{a}_1, \mathbf{a}_2, \ldots, \mathbf{a}_k\}$, with $\mathbf{a}_j \in \{0,1\}^{r_j}$ and $r_j \le N$, she obtains a sequence of cipher states $\{\rho_c^{(1)}, \ldots, \rho_c^{(k)}\}$, where

The collective rotation on $r_j$ qubits is defined as

$$\mathcal{R}^{(r_j)}(\mathbf{x}, \varphi) = \bigotimes_{i=1}^{r_j}\mathcal{R}^{(i)}(x_i\varphi). \qquad (4)$$

Subsequently, Eve may explore her database in order to decrypt an unknown message encrypted with Alice's public key, or gain further information on Alice's private key. For the sake of simplicity, and without loss of generality, in the following we assume that $r_j = N$, $\forall j$.

Let us discuss first whether Eve can gain significant information by encrypting plaintexts (i.e., obtaining cipher states) of her choice. As discussed in the previous subsection, Eve can obtain only negligible information about the private key by performing measurements on the public-key qubits. Thus, for Eve the private key is unknown, and uniformly distributed over $\mathbb{D}$. Accordingly, the state of the public key $\rho^{\rm pk}$ is chosen at random from the ensemble determined by $p(d)$, and is thus given by Eq. (2b). Note now that this maximally mixed state remains invariant under Eve's rotations [16], and thus any plaintext $\mathbf{a}_j$ is mapped to the same cipher state, i.e., $\mathbf{a}_j \mapsto \rho^{\rm pk}$. Hence, on average, there is no information gain for Eve. The same conclusion can be drawn on the basis of Holevo's theorem. In particular, since the state of the public key is unknown to Eve, the cipher state is also unknown to her. Hence, Eve can extract at most $Nk$ bits of information from measurements on all of the $k$ cipher states, which is negligible in view of condition (3b).

The remaining question is whether Eve can use her plaintext-ciphertext database in order to decrypt Bob's message, which has been encrypted with the same public key. First of all, recall that Bob encrypts his message $m \in \{0,1\}^r$ by transforming the state of the public key as follows.

As mentioned above, the mixed state $\rho^{\rm pk}$ remains invariant under these rotations, and thus all of the possible messages yield the same cipher state, i.e., $\rho_c = \rho^{\rm pk}$. Hence, Eve cannot distinguish between distinct messages, and the encryption scheme under consideration is provably secure [14].

Finally, note that a protocol which is secure against chosen-plaintext attacks is also secure against less powerful attacks, such as the ciphertext-only and the known-plaintext attacks. In the following, we analyze the forward-search attack, that is, a chosen-plaintext attack adapted to small message spaces.

D. Forward-search attack 

The forward-search attack can be very efficient (at least for conventional cryptosystems) when the number of all possible messages is small. In this case, Eve may obtain multiple copies of Alice's public key and create the ciphertexts corresponding to each possible message. Subsequently, she may try to deduce the encrypted message by comparing the unknown ciphertext with the ciphertexts in her database.

For the encryption scheme under consideration, however, the crucial information is not the actual angle of the rotation, but rather whether a public-key qubit has been rotated or not (see stage 2 in Sec. III). Hence, instead of creating her own plaintext-ciphertext database, it is sufficient for Eve to compare the cipher state sent from Bob to Alice with a copy of Alice's public key.

To analyze this attack, let us focus on a 1-bit message $m \in \{0,1\}$. Bob encodes his message by applying the rotation $\mathcal{R}(m\pi)$ on Alice's public-key qubit, which is prepared in a state $|\psi_s(\theta_n)\rangle$ chosen at random from $\mathcal{Q}_n$, for some $n \gg 1$. To deduce Bob's message, Eve performs a SWAP test between the cipher qubit sent from Bob to Alice and a copy of Alice's public-key qubit. In this way, she will learn whether the cipher-qubit state has been rotated with respect to the state of the public-key qubit. Such a test succeeds with average probability $p_{\rm suc} = 3/4$. Moreover, at the end of the test the two qubits are entangled, and Eve cannot distinguish between them. Hence, she cannot compare Bob's cipher state with the public-key state more than once.

Alice and Bob can reduce $p_{suc}$ considerably by encoding the message on the state of two or more public-key qubits. For instance, using two public-key qubits in the state $|\psi_{s_1}(\theta_n)\rangle_1 \otimes |\psi_{s_2}(\theta_n)\rangle_2$, the message "0" is encoded by applying an operation randomly chosen from the set $\{\mathcal{R}^{(1)}(0)\mathcal{R}^{(2)}(0),\ \mathcal{R}^{(1)}(\pi)\mathcal{R}^{(2)}(\pi)\}$, whereas "1" is encoded using an operation from the set $\{\mathcal{R}^{(1)}(0)\mathcal{R}^{(2)}(\pi),\ \mathcal{R}^{(1)}(\pi)\mathcal{R}^{(2)}(0)\}$. Thus, to deduce Bob's message, Eve has to identify correctly the operations performed on both qubits. In this case, Eve succeeds with probability $p_{suc} = (3/4)^2 \approx 0.56$; that is, only slightly better than random guessing. In general, when each bit of a message is encoded on $a$ qubits, Eve has to perform $a$ successive SWAP tests to deduce it, and the average success probability is $(3/4)^a$, which is worse than random guessing for $a \geq 3$.
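The two facts the arguments above rest on, the message-independence of the mixed cipher state ($\rho_c = \rho_{pk}$) and the $3/4$ success probability of a single SWAP test (hence $(3/4)^a$ for $a$ qubits), can both be checked in a few lines. The following is an added example written for this page, not code from the paper. It assumes a concrete form for the public-key states, $|\psi_s(\theta_n)\rangle = \cos(s\theta_n/2)|0\rangle + \sin(s\theta_n/2)|1\rangle$ with $\theta_n = \pi/2^{n-1}$ and $s \in \{0,\dots,2^n-1\}$, takes $\mathcal{R}(\phi)$ to be the rotation by $\phi$ in that plane (so $\mathcal{R}(\pi)$ maps each state to its orthogonal complement), and generalizes the two-qubit sets by letting the bit be the parity of the $\pi$-rotations over $a$ qubits; Eve's decision rule (ancilla reads 1 means "rotated") is likewise an assumption. All helper names are mine.

```python
# Added example (not from the paper): pure-Python simulation of the SWAP-test
# forward-search attack and a check that the mixed cipher state does not
# depend on the message.  Assumed parameterisation (not fixed by the text):
# |psi_s(theta_n)> = cos(s*theta_n/2)|0> + sin(s*theta_n/2)|1>,
# theta_n = pi / 2**(n-1), s in {0, ..., 2**n - 1}; R(phi) rotates by phi in
# that plane, so R(pi) maps every such state to its orthogonal complement.
import math
from itertools import product


def rotation(phi):
    """Real 2x2 matrix of the rotation R(phi) on the |0>,|1> amplitudes."""
    c, s = math.cos(phi / 2), math.sin(phi / 2)
    return [[c, -s], [s, c]]


def apply(mat, vec):
    return [mat[i][0] * vec[0] + mat[i][1] * vec[1] for i in range(2)]


def public_key_state(s, n):
    """Alice's public-key qubit for the private choice s (assumed form)."""
    return apply(rotation(s * math.pi / 2 ** (n - 1)), [1.0, 0.0])


def mixed_state(states):
    """Equal-weight mixture sum_s |psi_s><psi_s| / |Q_n| of real pure states."""
    rho = [[0.0, 0.0], [0.0, 0.0]]
    for v in states:
        for i in range(2):
            for j in range(2):
                rho[i][j] += v[i] * v[j] / len(states)
    return rho


def cipher_mixed_state(n, m):
    """rho_c for a 1-bit message m: every key state rotated by m*pi.
    Equals rho_pk (= I/2) for both m = 0 and m = 1."""
    return mixed_state([apply(rotation(m * math.pi), public_key_state(s, n))
                        for s in range(2 ** n)])


def _hadamard_on_ancilla(state):
    r = 1 / math.sqrt(2)
    out = list(state)
    for k in range(4):                        # k indexes the pair (q1, q2)
        a0, a1 = state[k], state[4 + k]       # ancilla = 0 / ancilla = 1
        out[k], out[4 + k] = r * (a0 + a1), r * (a0 - a1)
    return out


def swap_test_pass_prob(psi, phi):
    """Probability that the ancilla of a SWAP test on |psi>,|phi> reads 0,
    obtained by simulating the 3-qubit circuit H - controlled-SWAP - H.
    Analytically this is (1 + |<psi|phi>|^2) / 2."""
    state = [0.0] * 8                         # index = ancilla*4 + q1*2 + q2
    for q1 in range(2):
        for q2 in range(2):
            state[q1 * 2 + q2] = psi[q1] * phi[q2]
    state = _hadamard_on_ancilla(state)
    state[5], state[6] = state[6], state[5]   # cSWAP: |1,01> <-> |1,10>
    state = _hadamard_on_ancilla(state)
    return sum(a * a for a in state[:4])


def eve_identifies_qubit(psi, rotated):
    """Eve's rule (assumed): ancilla 1 -> 'rotated', ancilla 0 -> 'not rotated'.
    Returns the probability that this labels the qubit correctly."""
    phi = apply(rotation(math.pi if rotated else 0.0), psi)
    p_pass = swap_test_pass_prob(psi, phi)
    return 1.0 - p_pass if rotated else p_pass


def single_test_success(n):
    """Average over key choice s and Bob's bit: p_suc of one SWAP test (3/4)."""
    total = sum(eve_identifies_qubit(public_key_state(s, n), rotated)
                for s in range(2 ** n) for rotated in (False, True))
    return total / (2 * 2 ** n)


def all_qubits_identified(n, a):
    """Probability that Eve labels every one of the a qubits carrying one bit
    correctly.  Generalising the two-qubit sets, each qubit is rotated by 0 or
    pi and the bit is the parity of the pi rotations, so the patterns for '0'
    and '1' together cover all 2**a tuples uniformly (assumption)."""
    total, count = 0.0, 0
    for keys in product(range(2 ** n), repeat=a):
        for pattern in product((False, True), repeat=a):
            p = 1.0
            for s, rotated in zip(keys, pattern):
                p *= eve_identifies_qubit(public_key_state(s, n), rotated)
            total += p
            count += 1
    return total / count


if __name__ == "__main__":
    print("rho_c for m=0:", cipher_mixed_state(3, 0))
    print("rho_c for m=1:", cipher_mixed_state(3, 1))
    print("one SWAP test:", single_test_success(3))
    for a in (1, 2, 3):
        print(f"a={a} qubits per bit: {all_qubits_identified(2, a):.4f}")
```

The SWAP test is simulated as the actual three-qubit circuit rather than through the closed-form overlap, so the pass probability for identical states (1) and for a state and its $\pi$-rotated image (1/2) falls out of the amplitudes; averaging Eve's rule over the two equally likely rotations gives the $3/4$ of the text, and enumerating all key choices and rotation patterns for $a$ qubits reproduces $(3/4)^a$ for the probability of identifying every operation.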

In the forward-search attack discussed above, Eve performs independent (individual) SWAP tests between the corresponding qubits of the cipher state and a copy of the public key. The question that arises here is whether Eve may increase her probability of success by performing collective measurements on all the qubits of the cipher state and the public key. This issue deserves further investigation, and will be addressed elsewhere. Nevertheless, the mere fact that each public-key qubit is prepared at random and independently of the others suggests that the optimal attack (i.e., the attack that maximizes Eve's probability of success) involves only individual measurements on various qubit pairs, consisting of the corresponding qubits of the cipher state and the public key. In particular, as discussed in Sec. IV B, there is no redundancy or pattern in the public key (and thus in the cipher state) which could be exploited in a collective measurement.



E. Chosen-ciphertext attack 

In this scenario, Eve has access to Alice's decryption device, but not to the private key. Providing judiciously chosen cipher states, she receives the corresponding plaintexts. The only restriction is that Alice's device does not allow more than $k$ decryptions of $N$-qubit states with the same private key. As before, Eve's objective is to deduce the private key, or to decrypt Bob's message at a later instant, when she no longer has access to the decryption device.

The chosen-ciphertext attack can be analyzed along the lines of the previous sections. Let us discuss briefly, for instance, the security of the private key. In a chosen-ciphertext attack Eve can prepare arbitrary multi-qubit states, not necessarily related to the public key. For instance, Eve may ask for the decryption of an $N$-qubit state $\rho_e$, where the qubits are entangled among themselves as well as with another ancillary system. Nevertheless, as soon as the qubits are input to the decryption device, Eve has no access to them. First, the decryption device undoes the initial rotations on the qubits, as determined by the private key $d$. For Eve, who does not have access to the private key, the input state is transformed to a state $\rho_e'$ randomly chosen from the ensemble $\{p(d),\ \mathcal{R}_s^{\dagger}(\theta_n)\,\rho_e\,\mathcal{R}_s(\theta_n)\}$, i.e.,

$$\rho_e \to \rho_e' = \sum_d p(d)\, \mathcal{R}_s^{\dagger}(\theta_n)\, \rho_e\, \mathcal{R}_s(\theta_n), \qquad (6)$$

with the collective rotations given by Eq. (4). Eve learns only the outcomes of the projective measurements performed at the end of the decryption stage. According to Holevo's theorem, however, these outcomes cannot provide her with more than $N$ bits of classical information about the private key. Of course, Eve has the chance to perform up to $k$ such decryptions, but as long as condition (3b) is satisfied, her information gain is not sufficient to determine the private key.



V. DISCUSSION 

In conclusion, we have discussed cryptographic applications of single-qubit rotations in the framework of quantum trapdoor (one-way) functions. We also demonstrated how such a function can be used as a basis for a quantum public-key cryptosystem, whose security, in contrast to its classical counterparts, relies on fundamental principles of quantum mechanics. More precisely, in the proposed encryption scheme, each user creates a key consisting of two parts: a private key, which is purely classical, and a public key, which involves a number of qubits prepared independently in states specified by the private key. The sender encrypts his message on the recipient's public key by rotating the state of its qubits. A potential adversary cannot deduce the encrypted message without knowing the recipient's private key.

One might have noticed here external similarities of the proposed encryption scheme to the Y00 protocol. To avoid any misunderstanding, we would like to point out some crucial differences between the two schemes. First of all, the security of the Y00 protocol is claimed to rely on quantum noise, which renders the discrimination of closely spaced mesoscopic states impossible. On the contrary, the security of the proposed public-key encryption scheme relies on Holevo's bound and the no-cloning theorem. Second, Y00 is a symmetric encryption scheme, whereas the present work involves asymmetric cryptosystems (different keys are used for encryption and decryption). Third, in the Y00 protocol the two legitimate users share a short secret key in advance, which is expanded in the course of the protocol. No secret information is necessary for the functionality of the present protocol.

Various security issues pertaining to the proposed asymmetric encryption scheme have been analyzed in the context of a futuristic scenario, where all of the entities participating in the cryptosystem possess quantum computers and are connected via ideal quantum channels. There are various questions yet to be explored, especially in connection with the extension of the present ideas to more realistic scenarios, where the legitimate users are limited by current technology. For instance, in the presence of a lossy quantum channel, quantum error-correction codes can be used to increase the robustness of the protocol. We have already seen that by encoding 1 bit on two qubits we make the encryption more robust against the forward-search attack.

In any case, the purpose of the present work was to introduce certain basic ideas underlying quantum public-key encryption, and to set an appropriate theoretical framework. We also demonstrated how fundamental properties of quantum systems and certain theorems of quantum mechanics may provide a barrier, due to complexity of effort, between legitimate users and adversaries, which is the cornerstone of quantum public-key encryption. We hope that our results and discussion will stimulate further investigations on these topics, so that light is shed on crucial questions pertaining to the power and the limitations of asymmetric quantum cryptography. Moreover, such investigations might lead to the development of practical public-key encryption schemes, or other provably secure quantum cryptographic primitives (e.g., digital signatures, hash functions, etc.).